Subject: CVS commit: pkgsrc/lang
From: Benny Siegert
Date: 2024-09-06 20:42:18
Message id: 20240906184218.ED32EFC74@cvs.NetBSD.org

Log Message:
go122: update to 1.22.7

This minor release includes 3 security fixes following the security policy:

go/parser: stack exhaustion in all Parse* functions

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

This is CVE-2024-34155 and Go issue https://go.dev/issue/69138.

encoding/gob: stack exhaustion in Decoder.Decode

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

This is a follow-up to CVE-2022-30635.

Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu) for reporting this issue.

This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.

go/build/constraint: stack exhaustion in Parse

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.

Files:
Revision  Action  File
1.215     modify  pkgsrc/lang/go/version.mk
1.10      modify  pkgsrc/lang/go122/distinfo